Rbot.DXG is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in malicious way. Trojans do not replicate or spread to other computers. Rbot.DXG has a file size of 515,072 bytes. It uses the network connection: - Looks for an Internet connection.
- Connects to "87.118.111.15" on port 34567 (TCP).
- Sends data stream (18 bytes) to remote address "87.118.111.15", port 34567.
- Connects to IRC Server.
Rbot.DXG drops the following files on the hard drive: - C:\WINDOWS\SYSTEM32\sys.exe (515072 bytes)
It also changes Windows registry: - Creates value "ATI Video Driver Controls"="sys.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
- Creates value "ATI Video Driver Controls"="sys.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
- Creates key "HKLM\Software\Microsoft\OLE".
- Sets value "ATI Video Driver Controls"="sys.exe" in key "HKLM\Software\Microsoft\OLE".
- Sets value "ATI Video Driver Controls"="sys.exe" in key "HKLM\System\CurrentControlSet\Control\Lsa".
- Creates value "ATI Video Driver Controls"="sys.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
- Creates key "HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices".
- Sets value "ATI Video Driver Controls"="sys.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices".
- Creates key "HKCU\Software\Microsoft\OLE".
- Sets value "ATI Video Driver Controls"="sys.exe" in key "HKCU\Software\Microsoft\OLE".
- Creates key "HKCU\Software\SYSTEM\CurrentControlSet\Control\Lsa".
- Sets value "ATI Video Driver Controls"="sys.exe" in key "HKCU\Software\SYSTEM\CurrentControlSet\Control\Lsa".
It creates the following mutex to ensure only one instance is running: blahs1. It also contains anti-debugging code, is executed every time Windows starts.
|
